Don't forget to think out a deeper solution. If you can get file upload on the server you can upload arbitrary binaries and ASP content to achieve this. Don't think of pen testing as, "I have one exposed service, is there a remote exploit?" Can you find SQLi and execute code that way?

Again, they do not run any web applications. This is why I asked about IIS specifically. The PHRACK issue I would say does not indeed point to any reliable exploit. Thank you for your time but I pwnd this shit on my own.

camelCase wrote: Thank you for your time but I pwnd this shit on my own.

Perhaps you'd care to share and help us increase the community knowledge?

Yeah, that line didn't exactly sit well with me. I'm certain it didn't carry the attitude that I interpreted when I read it. (At least, I'd hope not.) And yes, I'm with tturner. If you pwned it, please share, if for no other reason than to increase everyone's knowledge and abilities.

Oh, and assuming you did pwn it... Congrats!

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I had to do it by sending SYN packets with Scapy and backing off TTL until the firewall responded with an error packet containing its IP, finding out that the firewall was misconfigured and had its config interface in front of me, guessing the correct password, dumping its config, SSH tunneling through the firewall and proxy scanning the server, enumerating some users, discovering a user with pass as user, looking in the SYSVOL, finding a bat script with domain admin permissions and RDP. So still not just IIS or web app but just pure luck. I think that is vague enough to not give up any confidential data but informative enough to "share". :-)